Hello,
We have recently been made aware of a security vulnerability related to Plex Media Server. This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location of a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server’s Plex account. This issue has been assigned CVE-2020-5741.
Starting in Plex Media Server 1.19.3, we are mitigating this issue in the following ways:
- We have removed the ability to change the location of the server’s data directory via the API. Windows users can still change the directory location via the advanced server settings in the Registry.
- We have also added checks to the Camera Upload feature that disallow uploads to sensitive locations within the server data directory.
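The kind of containment check the second mitigation describes, as an added illustration rather than Plex's own code: it canonicalises the upload destination and rejects anything that escapes the library or resolves into the data directory, which also covers the overlap case the advisory describes. The directory names, layout and the whole-data-directory policy are constructed assumptions for this note.

```python
import tempfile
from pathlib import Path

def resolved_destination(library_root: str, filename: str) -> Path:
    """Join the upload filename onto the library root and canonicalise the result.
    resolve() follows symlinks and collapses '..', so a traversal attempt or a
    symlinked subfolder is judged by where it actually lands on disk."""
    root = Path(library_root).resolve()
    # Never honour an absolute upload name; treat everything as relative to the library.
    return (root / filename.lstrip("/\\")).resolve()

def is_inside(base: Path, target: Path) -> bool:
    """True if target is base itself or lies beneath it. relative_to compares
    path components, so /srv/data does not match /srv/data2."""
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False

def upload_allowed(library_root: str, data_dir: str, filename: str) -> bool:
    """Assumed policy for this note (not Plex's own check): an upload must stay
    inside its library and must never resolve into the server data directory."""
    dest = resolved_destination(library_root, filename)
    if not is_inside(Path(library_root).resolve(), dest):
        return False  # escaped the library via '..' or a symlink
    if is_inside(Path(data_dir).resolve(), dest):
        return False  # would write into the data directory
    return True

def demo() -> dict:
    """Constructed layout in a temp dir: a camera library, a data directory, and a
    symlink inside the library that points at the data directory (an overlap)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "camera")
        data = Path(tmp, "pms-data")
        lib.mkdir()
        data.mkdir()
        (lib / "shortcut").symlink_to(data)
        return {
            "plain": upload_allowed(str(lib), str(data), "IMG_0001.jpg"),
            "traversal": upload_allowed(str(lib), str(data), "../pms-data/script.py"),
            "symlink": upload_allowed(str(lib), str(data), "shortcut/script.py"),
            "overlap": upload_allowed(str(data), str(data), "script.py"),
            "prefix": is_inside(Path("/srv/data"), Path("/srv/data2")),
        }

if __name__ == "__main__":
    print(demo())
```

Only the ordinary photo upload passes; the traversal, symlink, overlapping-library and prefix-collision cases are all refused.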
In summary: An attacker who already had admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code. Upgrade Plex Media Server to version 1.19.3 or newer and be careful with access to your admin account.
Thanks,
Plex Security Team